Track dir removal by any means

Hi Guys,
I'm new (& self-taught) to DTrace and needed to write a program to track a specified dir and find out who/when/how etc if it got removed/renamed etc.
As you can see from the below code, I've been caught by 1 or 2 gotchas during my testing. This is a serious prog, going into production asap, so any comments towards making it better/more robust would be appreciated.
Cheers
Chris
#!/bin/ksh
# Desc    : Track dir deletions of specified dir in specified zone.
#           Attempts to handle path issues on cmd and/or dir/dir.
#           Tries to catch any form of removal eg shell cmds:
#           rm, rmdir, unlink, mv and 'internal' code cmds inside Perl, C etc.
#           Note that normally this prog is controlled by
#           dt_dir_removal_mgr.pl, which reads the stdout & stderr,
#           filters false positives etc & logs and emails any alerts.
#           We do not allow the path of the tgt dir to be used,
#           as this may not be specified by the offending user/app...
#           thus we may get some false positives eg a file of the same name.
#           Local zonename is avail from DTrace, but filesystem and inode
#           are not avail from psinfo struct.
#           Not matching on zone because tgt dir can be deleted from global,
#           although the users should not be able to get in there.

usage()
{
    echo "USAGE: dt_dir_removal.sh -d dirname
            -d dirname      # dirname to track : must NOT inc path
        eg,
            dt_dir_removal.sh -d testdir"
    exit 1
}

# --- Process Arguments ---
# Arg supplied ?
if [[ $# -eq 0 ]]
then
    usage
fi

# Check switch value & arg value : see usage()
while getopts d: name
do
    case $name in
    d)  dirname=$(basename "$OPTARG") ;;
    *)  usage ;;
    esac
done

# -d is mandatory: getopts alone does not enforce that it was given,
# and an empty DIRNAME would match every return probe below
if [[ -z "$dirname" ]]
then
    usage
fi

# --- DTrace ---
# NB: seem to need the single quotes around the DTrace code ...
# This also means the even the contents of comment blocks CANNOT have single quotes
# in them eg don't, won't etc... (sigh...)
/usr/sbin/dtrace -n '
/* Params from shell input */
inline string DIRNAME  = "'"$dirname"'";

#pragma D option quiet
#pragma D option switchrate=10hz

/*
 * Print header
 */
dtrace:::BEGIN
{
    /* print main headers: We cannot line up final arg hdr exactly
     * because the cmd len varies
     */
    printf("%-20s %-12s %5s  %5s  %6s  %6s  %s -> %s\n",
           "TIME", "ZONE", "GID", "UID", "PID", "PPID", "CMD", "TARGET") ;
}

/*
 * Check exec event type
 */
syscall::unlink:entry
{
    /* Grab the dirname in qn to test later: remove any preceding path.
     * Thread-local (self->) rather than global, so a name captured in one
     * thread cannot satisfy the predicate for a different thread.
     */
    /* Experiment seems to indicate unlink will not have this value in the return state ;
     * contrast with rmdir below which may not have it in entry state
     */
    self->tgt = basename(copyinstr(arg0));
}

/* http://docs.sun.com/app/docs/doc/817-6223/6mlkidlrg?l=en&a=view#indexterm-458 :
 * Avoiding Errors
 * The copyin() and copyinstr() subroutines cannot read from user addresses which have not yet
 * been touched so even a valid address may cause an error if the page containing that address
 * has not yet been faulted in by being accessed.
 * To resolve this issue, wait for kernel or application to use the data before tracing it.
 * For example, you might wait until the system call returns to apply copyinstr()
 */
syscall::rmdir:entry, syscall::rename:entry
{
    /* Try saving a ptr to the relevant value for later, otherwise it gives invalid addr error
     * in return section below
     */
    self->file = arg0;
}

/* Only copy the path if this thread really saved a ptr at entry. A return
 * with no matching entry (eg a syscall already in flight when the script
 * started) leaves self->file at 0, and copyinstr(0) fails with
 * "invalid address (0x0)".
 */
syscall::rmdir:return, syscall::rename:return
/ self->file /
{
    /* Grab the dirname in qn to test later: remove any preceding path */
    self->tgt = basename(copyinstr(self->file));
    /* Clear the self->file ptr to avoid dynamic variable drop errors */
    self->file = 0;
}

/* Not matching on zone because tgt dir can be deleted from global,
 * although the users should not be able to get in there.
 */
syscall::rmdir:return, syscall::rename:return, syscall::unlink:return
/ self->tgt == DIRNAME /
{
    /* Print the field values. The TARGET tends not to line up as we
     * print the cmd and the target name for completeness. For a shell level cmd,
     * we will get the target name in the CMD field as well. For an "internal" cmd,
     * eg rmdir() from within perl, the CMD field does not contain the target value.
     */
    printf("%-20Y %-12s %5d  %5d  %6d  %6d  %s -> %s\n",
            walltimestamp, zonename, gid, uid, pid, ppid,
            curpsinfo->pr_psargs, self->tgt ) ;
}

/* Release the thread-local name on every return, matched or not */
syscall::rmdir:return, syscall::rename:return, syscall::unlink:return
{
    self->tgt = 0;
}
'

Hi,
I started by looking at that originally, but it didn't seem to be capable of just doing the very fine tracking I wanted; just one dir that's unlikely to be removed, but when it is we need to know IMMEDIATELY and incidentally by whom and how.
BSM/audit seemed to only be able to audit at a much higher/coarser level and would generate a lot of logging and you'd be looking at it after the fact.
My soln works nicely generally, but I have just got this
dtrace: error on enabled probe ID 6 (ID 11792: syscall::rename:return): invalid address (0x0) in action #1 at DIF offset 28
I've got a ctrl prog that keeps an eye on the DTrace prog and just restarts it if this happens. Seems to work ok, but I'm going to have another look at solving that error...
Cheers
Chris
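The "invalid address (0x0)" error above is what copyinstr() reports when a return probe fires in a thread that never ran the matching entry probe (for instance a rename() already in progress when the script was started), so self->file is still 0. The script below is an added example, not the poster's code: it guards the return probes on the saved pointer, and it also watches the rename() destination argument, because renaming over an existing empty directory replaces that directory, a removal path the source-only check does not see. It assumes the Solaris syscall provider argument layout rename(old, new) and a constructed tracked name "testdir".

```dtrace
/* Added example: entry/return capture with a guard on the saved pointer,
 * plus the rename() destination and the syscall outcome (errno).
 * Assumes rename(old, new) as arg0/arg1; DIRNAME is a constructed value.
 */
#pragma D option quiet

inline string DIRNAME = "testdir";   /* constructed value for the example */

syscall::rename:entry
{
    self->old = arg0;   /* source path  */
    self->new = arg1;   /* destination path: replaces an existing empty dir */
}

syscall::rmdir:entry
{
    self->old = arg0;
    self->new = 0;
}

/* Guard: a return with no entry in this thread leaves self->old at 0, and
 * copyinstr(0) would raise "invalid address (0x0)". Copy only when set.
 */
syscall::rename:return, syscall::rmdir:return
/ self->old /
{
    self->oldname = basename(copyinstr(self->old));
    self->newname = self->new ? basename(copyinstr(self->new)) : "";
}

/* Report the tracked name on either side of the call, with the outcome:
 * errno == 0 means the directory really went away, anything else is a
 * failed attempt, which is still worth knowing about.
 */
syscall::rename:return, syscall::rmdir:return
/ self->old && (self->oldname == DIRNAME || self->newname == DIRNAME) /
{
    printf("%Y %-12s %6d %-6s errno=%d %s %s -> %s\n",
        walltimestamp, zonename, pid, probefunc, errno,
        curpsinfo->pr_psargs, self->oldname, self->newname);
}

/* Release thread-local storage on every return, matched or not */
syscall::rename:return, syscall::rmdir:return
{
    self->old = 0;
    self->new = 0;
    self->oldname = 0;
    self->newname = 0;
}
```

Run it with dtrace -s; the clauses for one probe fire in program order, so the copy, the report and the cleanup always happen in that sequence within a thread.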
